After a spate of lawsuits dating back to the late '90s, the feds step in.

On a warm April morning in 2007, one of the world’s most notorious spammers walked through the doors of the Lloyd D. George Federal Courthouse in Las Vegas. Though the Federal Trade Commission was attempting to collect a $4 million judgment against him, Sanford “Spamford” Wallace showed up to his sworn deposition without a lawyer—and without any of the documents required of him.

Wallace, though nominally cooperative, had been nearly impossible to reach. When attorneys from the social network MySpace had sued him weeks before, the process server tasked with delivering legal documents couldn’t make contact with Wallace and eventually went to the OPM Nightclub where Wallace worked weekends as a $400-a-week disc jockey under the name “DJ MasterWeb.” The process server claimed to have approached Wallace at the club before being intercepted by security guards; the lawsuit papers were literally thrown at Wallace in an attempt to get good service on him.

FTC lawyer David Frankel, who was overseeing Wallace courthouse questioning as part of a separate spam case brought by the government, had resorted to telephone calls, FedEx packages, and e-mails to contact Wallace; he even sent a personal messenger on occasion. Despite the extraordinary measures, Frankel didn’t know when he showed up to court that April morning whether Wallace would actually arrive.

Wallace did arrive. After swearing to tell the truth in his testimony, he explained to Frankel that the problems weren’t the result of malice but were instead caused by utter disorganization. “Let me just state, for the record, that I am chronically disorganized, and that’s one of the reasons it’s so difficult to communicate with me, and some of the things that would appear to the normal person to be uncooperative, it’s actually possible and very often related to the fact that I’m a very disorganized person,” he said at the beginning of his testimony. “I think you’ll see that as we continue this conversation that as a lot of documents haven’t been filed or organized in a very efficient manner by myself, I want to just state for the record that that is something that I could probably have a psychiatrist to verify if I had to.”

“A business that worked”

Yet Wallace had been organized enough to become a massive spammer. Born in 1968, he attended high school in Maplewood, New Jersey, but realized the academic world wasn’t for him. He tried attending college twice, first at SUNY-Buffalo and then at New Jersey’s Ramapo College; he didn’t last a semester at either. He later described himself as “not a good student.”

A note on sourcing

This feature is excerpted, in slightly modified form, from the book The Internet Police: How Crime Went Online, and the Cops Followed by Ars Deputy Editor Nate Anderson. It can currently be purchased as a hardback (Amazon, Barnes & Noble, or local bookstores) or as an e-book (Amazon, iTunes, Barnes & Noble, or Google Play).

Most quotes from Wallace come from the “Deposition of Contempt Defendant Sanford Wallace,” FTC v. Odysseus Marketing and Walter Rines, United States District Court—District of New Hampshire, case no. 05-CV-330-SM, docket nos. 27–32, filed January 23, 2008.

Full footnotes are available in the book.

That didn’t stop him from finding monetary success—and public notoriety—during the mid-1990s with his Pennsylvania company Cyber Promotions. As a heavyset twentysomething with close-cropped hair and glasses, Wallace first spammed fax machines and then moved on to e-mail, believing that he had a legal right to market his wares as he saw fit. Dubbed “Spamford” by opponents, he eventually embraced the nickname and even registered the domain spamford.com. (In 1997, Hormel sent him a letter objecting to the name on the grounds that it used the company’s potted meat SPAM trademark). Unlike other spammers who hid their identities, Wallace regularly tangled in public with antispam crusaders.

Cyber Promotions quickly became so hated that a dozen Internet service providers, including AOL, sued Wallace in the late 1990s, each hoping to halt his flood of junk e-mail despite the lack of antispam laws at the time. Wallace pressed on, but the lawsuits did cramp his business. He settled several of them by agreeing not to spam the particular network at issue, which gradually whittled down the list of places he could send spam without getting into more trouble.

Antispam vigilantes were also after him and his company. They hacked his website, replacing its homepage, and went after the Michigan Internet provider that served Cyber Promotions. As recounted in the 2004 book Spam Kings by Brian McWilliams, Wallace was angry enough about the hacking to offer a $15,000 reward and claimed he was alerting the FBI.

By 1998, the pressure was so intense that Wallace had trouble finding an Internet provider to offer service to his company. In January, a local Philadelphia paper reported that Wallace had returned to his roots in junk faxing despite the fact that federal law now prohibited the practice. Local residents were furious; one managed to get Cyber Promotions delisted from the Better Business Bureau.

In April 1998, Wallace publicly announced his “retirement” from spamming. After several more failed ventures and a failed marriage, he moved to New Hampshire and in January 2002 bought a nightclub called Plum Crazy from Walter Rines, a former spam partner. The club, just outside of Rochester, proved popular; few visitors knew that club owner DJ MasterWeb had such a colorful past.

When Wired magazine visited Plum Crazy in 2003, Wallace appeared to be a changed man. Those lawsuits from Internet providers hadn’t killed his business; “they put me into business—a business that worked,” he said at the time. Even top antispam lawyers were pleased to see the change of heart. The Wired story included a line that at the time seemed perfectly sane: “I think the world of Sanford,” it quoted Pete Wellborn, an Atlanta attorney who won a $2 million judgment against Wallace on behalf of EarthLink in 1998. “He really is a man of his word, unlike the spammers we see now who are either ignorant or common criminals.”

The power of friends

But Wallace soon needed money. Plum Crazy went bankrupt; Wallace sold his house and moved to Las Vegas. He revived an older business of his called SmartBot and soon began a scheme in which he infected computers with spyware that then popped up messages selling an “antispyware program” to clean the infection. This finally moved the feds to action. The Federal Trade Commission (FTC) filed suit against Wallace in 2004 to halt his SpamBot practices. FTC lawyers worked the case for two years and in March 2006 obtained a default judgment of $4 million when Wallace didn’t show up in court to contest the charges.

In October of that year, Wallace’s friend Rines was also hit with an injunction in an online marketing case. While this might have seemed like a good time for each man to lie low, the pair instead partnered again. They were soon at work on a new plan to make money marketing through the newly hot social networks. (The two “wasted little time in violating the Court’s Order” is how FTC lawyers later put it.) Their plan targeted the hugely popular MySpace site with the ultimate goal of directing MySpace users to websites advertising such things as ring tones and adult dating services.

Few people would click such low-quality links if they were clearly presented as ads. The beauty of the Wallace/Rines approach was that because their links appeared as messages from a MySpace user’s actual friends rather than as ads, clickthrough rates were high—as were profits. The FTC estimated that the scheme raked in at least $555,850.04 (the actual tally was probably higher).

Sanford Wallace, from his Google+ page.

The project showed real, if devious, creativity. In order to access people’s MySpace accounts, Wallace and Rines devised a plan to get people to hand over their account information. No subject was off-limits. Could the resurrection of Jesus somehow be used to generate money from sex sites? Yes, it could. In one memorable exploit, the pair used MySpace accounts they had created to send 392,726 unsolicited messages pitching Easter e-cards to other MySpace users. When the recipients clicked the link to view the online card, they were asked if they would like to “forward” the card to their own friends. They did so by entering their MySpace password and username into a form that looked a lot like the actual MySpace log-in page; Wallace and Rines would then add the accounts to their database. Later, they would log into these accounts and spam links to people’s friends, advertising whatever websites were willing to pay them. Visitors to the Easter e-card site who tried to leave the page without divulging their MySpace credentials were simply redirected to the advertising sites.

Even for a network the size of MySpace, which had 50 million registered users in early 2006, Wallace quickly became a serious problem. As the technical side of the operation, he used automated tools to log in to more than 300,000 MySpace accounts and send more than 890,000 messages with links. The MySpace abuse team received more than 800 complaints about this behavior. In early 2007, the company filed a lawsuit against Wallace, and the FTC soon went after both men for violating the injunctions against more spamming. But Wallace defended his actions.

During his deposition with Frankel, the FTC lawyer, Wallace insisted that the messages he sent to other MySpace users weren’t “unsolicited” at all. This was the beauty of sending links from one MySpace user to the user’s friends. “A message between two friends is not defined as ‘unsolicited’ by several standards,” Wallace said. “If I call you up tomorrow and ask you if you’d like me to send you a document, is that an unsolicited phone call, or do we have an existing relationship?”

Besides, this wasn’t e-mail in the traditional technical sense, he said. “It’s not something coming from a stranger with a fake return address like the CAN-SPAM act is apparently trying to address... “This is friend to friend communication, and we don’t evade any type of friend to friend blocking techniques. We don’t trick in any way. We don’t trick people into getting messages from their friends. It’s based solely on their friend’s action [in giving log-in information to Wallace].” Wallace insisted that he had found a novel, legal way to market websites. “I’ve just been working with [Rines] on MySpace-related activities, advertising and Internet traffic and things of that sort, nothing in violation of your order,” he said.

Frankel let it go and turned to the question of the money. Why hadn’t Wallace paid the millions he owed the FTC? After all, Wallace had pulled in more than $4 million from SmartBot alone and was earning hundreds of thousands from his work on MySpace. Wallace insisted he was in debt, that he no longer had a credit card because “I basically could not pay off some of my credit card bills,” and that he had made big payments to six casinos for gambling debts—including $350,000 to the MGM Grand Mirage. But beyond that, he was maddeningly vague.

He said he could not recall the amounts he had paid to other casinos. He claimed to have no real idea of the total income he had made over the years. And he could not explain what had happened to all of his money:

Q. [Frankel] Well, here’s the kicker with all that. What happened to all this money? What happened to the $4 million plus, where is it today?

A. [Wallace] Most of it was spent, I had debts and all this has to be—all this has to be reconciled through the use of this bank account which I would like to get cleared and taken care of with you, so that you can see exactly where the monies went. It’s all pretty much a pretty obvious story if you look at the bank.

Q. What’s your—give me the general answer. What happened to the money? Right now you’re saying you have to show me documents, but where did the money go? Where is it? It’s a lot of money.

A. Yeah. I mean I had a lot of debt, and honestly I don’t know exactly where the money went. I would have to look at my bank account with you, and I’m not evading your question. I just don’t know how to give a general answer to that. And monies went out and came in for three years.

Q. I’m not a rich guy, but if I had $4 million and I have nothing now, I would have at least some sense as to where the money went.

A. I had over a million dollars in casino debts.

Q. Okay. Grant that. Now, where did the other $3 million go?

A. Again, this is a very impossible question for me to answer without having actual paperwork in front of me to go over specific itemization of what happened to the money and what didn’t happen to the money.

Although he claimed that he currently had only $20,000 in a checking account, Wallace drove a $30,000 car with only 1,500 miles on it, had a $1,100-a-month apartment, and had just purchased a $1,400 watch. How did he afford it all, Frankel asked, on his $400-a-week DJ income? “I could not afford my rent if I did not have the other business,” Wallace admitted, referring to his MySpace activities. When the money got tight, he went back to what he knew.

Frankel was resigned. “I’m trying to help you reform,” he said, as the day of sparring drew to a close, “which is probably not going to happen, but I’m trying.”

Ugh. I remember Spamford and CyberPromo, junking up USENET and my inbox in the late 90s. A quick check through my old email archive even turns up all the "unsubscribe" e-mails I vainly sent to remove@cyberpromo.com.

On one hand, Spamford is an unrepentant sinner; a parasite who bleeds money out of the Internet. However, on the other hand, you've got to admire someone so singularly dedicated. He's like the honey badger of spam—Spamford just don't give a shit.

I was struck by how weak the punishments for spamming are, compared to how punitive the punishments for copyright infringement are.

This disparity speaks to the power of big business in determining how harsh govt-enforced punishments are. Copyright violations can result in huge punitive fines, because of the power of the content lobby. But everyday Joe and Jane have no such lobby and have to continue to suffer harassment from spammers.

In jail away from a computer is the only way anyone is going to stop him.

"Few people would click such low-quality links if they were clearly presented as ads. The beauty of the Wallace/Rines approach was that because their links appeared as messages from a MySpace user’s actual friends rather than as ads, clickthrough rates were high—as were profits. The FTC estimated that the scheme raked in at least $555,850.04 (the actual tally was probably higher)."

Funny to think now that has become of a practice from Google and Facebook. He was just ahead of his time! Other than stealing people's login info.

It is true that we need tougher laws to stop spam. But today most spam comes from foreign countries, and is sent from hacked computers. So it's hard to begin the process by arresting those responsible.

Operating systems need to be secure, so there simply are no vulnerabilities to be exploited.

Countries that give safe harbor to spammers need to be disconnected from the Internet.

The FBI investigated Wallace’s Facebook activities for two years before the government finally filed its case, charging that that Wallace had connected to Facebook from 143 different, proxied IP addresses “in order to deceive Facebook” and had sent 27 million pieces of spam through 500,000 compromised Facebook accounts.

Why would Facebook accept over 3000 connections through a single proxy?

Seems more an article from the "where are they now" file than anything else. Wallace is wholly unremarkable in the context of the cyber crime happening today. Like some others, I can grudgingly admire the guy's persistence, and the last time I check, he hasn't invaded Poland.

This post previously contained my (angry) thoughts on Ars own flawed spam filtering issues. Ars is filtering their comments using a broken service called blockforumspam. My ip was recorded on this website in the past, and I am unable to have it removed (the website is not being maintained). I've decided to use the ars contact us form in an effort to get this resolved. If ars is unresponsive, I will repost my comment. Until then, i'm avoiding creating a situation by removing this comment altogether.

It's odd that this article about spam is an excerpt from a book written by Nate, as is noted from the huge "ad" on page 1 under the ridiculous "A note on sourcing"..with multiple links to purchase said book. This thing stinks like spam.

I was struck by how weak the punishments for spamming are, compared to how punitive the punishments for copyright infringement are.

This disparity speaks to the power of big business in determining how harsh govt-enforced punishments are. Copyright violations can result in huge punitive fines, because of the power of the content lobby. But everyday Joe and Jane have no such lobby and have to continue to suffer harassment from spammers.

Yup, punch your neighbor in the nose for being a dick, get caught with a bag of weed the next year, and shoplift a $20 item the year after, and you can land in jail for life on the three strikes rules. No fucking around there either, they don't need more and more evidence every time you ignore them, they kick your face in the curb and crank on the cuffs.

This is how you can tell the "justice" system is mostly a peon-herding mechanism, and that the operational domain of the rich pricks is pretty much free range.

Yup, punch your neighbor in the nose for being a dick, get caught with a bag of weed the next year, and shoplift a $20 item the year after, and you can land in jail for life on the three strikes rules. No fucking around there either, they don't need more and more evidence every time you ignore them, they kick your face in the curb and crank on the cuffs.

This is how you can tell the "justice" system is mostly a peon-herding mechanism, and that the operational domain of the rich pricks is pretty much free range.

This is why it is important, that if you are destined to commit crimes, that you commit them on the federal civil level and not on the local criminal level.

Few people would click such low-quality links if they were clearly presented as ads.

And yet click they do, day after day.

Spammers have a lot to answer to, but so do the idiots who bankroll them because of a complete lack of judgement. Everyone who buys Viagra or a fake Rolex by way of a spam advertisement feeds the same machine that then pollutes your inbox. I hope you enjoy your bling and boners, assholes.

Say you’re a spammer with a hot new idea to try out on a new social network. The worst-case scenario is that you are (1) found out, (2) actually pursued in court, and (3) eventually forced to pay back the money. The best case is that the government gives up and you end up with all the cash.

Where is the IRS in all this? Is there a special filing exemption for spammers that I'm not aware of?

This story really shows the absolute worthlessness of civil court when judges don't want to rock any boats, as anyone who's ever had to sue a crooked independent contractor knows. The judge is perfectly happy to award damages so he can make his tee time, but asking for any actual enforcement of that is all but impossible unless you have a very sympathetic sheriff.

Judges will virtually never authorize any kind of seizure even when they supposedly give you a judgment and lien, and when they do, law enforcement is often reluctant to allow a lawful order. Even those willing to issue a warrant for arrest for a no-show will rescind it as soon as they appear, possibly years later, then they can make their promises and disappear without paying a dime again.

Yup, punch your neighbor in the nose for being a dick, get caught with a bag of weed the next year, and shoplift a $20 item the year after, and you can land in jail for life on the three strikes rules. No fucking around there either, they don't need more and more evidence every time you ignore them, they kick your face in the curb and crank on the cuffs.

This is how you can tell the "justice" system is mostly a peon-herding mechanism, and that the operational domain of the rich pricks is pretty much free range.

There is no 3-strikes-for-life law that applies for misdemeanors. (Although Texas, where three-strikes originated, didn't update its felony limits from their time of statehood until the 1980's, putting someone in prison for life for $230 in theft in 1974, including one $30 bad check.) Most have been now reformed to require violent felonies.

However, get into three bar fights, or steal three cars (in states without the violence requirement) and you're pretty much done if your DA doesn't like you.

Judges will virtually never authorize any kind of seizure even when they supposedly give you a judgment and lien, and when they do, law enforcement is often reluctant to allow a lawful order. Even those willing to issue a warrant for arrest for a no-show will rescind it as soon as they appear, possibly years later, then they can make their promises and disappear without paying a dime again.

Well it is a civil action. If the type of acts are harmful or costly across society itself, then the correct course of action is for the legislature to criminalise them so that actual punitive remedies can be dealt.

A possible reason for the ineffectiveness of anti-spam campaigns is that lobby pressure from Google and Facebook probably hold back effective laws as their advertising is trending more and more into territory once reserved for scum-dog spammers.

I'm surprised how many people here want to "solve" these kinds of issues with new laws that send these kinds of pests to jail. All you are doing is playing a game of whack a mole. There are enough people, too many in fact, in prison already as it is. Prisons should be for violent criminals exclusively.

Rather than spend the money on paying for the imprisonment of non-violent criminals, we should use our resources more effectively and humanely. In the cases of drugs, towards rehabilitation/detox centers and needle programs etc. For prostitution, on medical programs that help treat, screen, and prevent STD transmission.

In the case of these internet nuisances, to building an infrastructure that makes these types of scammers unable to operate so that we can safely ignore them, for example by helping software companies close the loopholes, improve sandboxing of their APIs, and building more effective anti-phishing/malware/virus removal tools.

Our society seems to always want to try for a "quick fix", always attacking the symptoms of the problems rather than resolving the underlying root of the issue, so these annoyances don't emerge anymore, or at least not nearly so often.

To be honest this is kind of ridiculous, and it's a broken system. The money owed I'm not interested in, 1 billion or 1 million, he doesn't have that kind of money supposedly, and he isnt going to pay it if he does.What I would be more outraged about is the shear cost of the cases against this guy. Just think how much, not only money, but time has been spent investigating him. I have always said that money can always be earned, or scammed in this case, but time is lost forever once it is spent. The time spent by the judges, lawyers, FBI, FTC, could have been better spent catching so-called "real criminals".

I'm not saying this guy didn't need stopping, but there is a clear disproportionate amount of effort been put into this over the years than he deserved.

Why wasn't he pursued under proper legal charges earlier after the first judgement he failed to pay.

Surely it would make more sense for the court to be an interim holder of the money who then pass it on to the companies in question. Then perhaps it immediately becomes a legal issue of owing the state?

My favorites are the "false premise" marketing calls. I do OK for money, but I spend disproportionate amounts on computers and stereo gear - not cars. My newest car is a ten year old Toyota with about 200,000 miles on it. The family van is an 18 year old Nissan with about the same mileage. So I get a call on my cell one day driving home. "Our record indicate that the warranty on your car is about to expire." I almost broke out laughing, but decided to have some fun instead. Obviously they had no idea what kind of cars I own. "That could well be. Can you tell me which vehicle we're talking about?" I guess I should take the hang-up as a "no."

I get the "The FBI has reported..." robocalls on my office direct line, too, but it seems that the vehicle warranty scammers are more drawn to me. Got an ad in the mail last week. "FINAL NOTICE - Factory Warranty Expiration. Extremely urgent and time sensitive." Oddly enough it wasn't for either of the vehicles mentioned. Instead it was for a 2008 Buick. I have never owned a Buick, but it just so happens that my father-in-law owns a 2008 Buick. So why would Vehicle Protection America think I own the vehicle? Every year we renew the Sirius/XM subscription for the car as a Christmas gift. That is my only tie to that vehicle. So it seems that Sirius/XM has sunken to selling my information to scammers. My opinion of Sirius/XM has since fallen considerably.

Our society seems to always want to try for a "quick fix", always attacking the symptoms of the problems rather than resolving the underlying root of the issue, so these annoyances don't emerge anymore, or at least not nearly so often.

While I agree with your sentiments to fix the main problem rather than patch it, there are times when this is just not possible.

It is said that when you are born you only have a couple of in-built fears, and that is a fear of falling, and loud noises. The absolute basics. The rest of fears are created from experiences, and society as a whole. Fear in this sense is a system of control. People fear the punishment and it keeps them in line. At one point, this was the 10 commandments etc. imposed by religion. Society has now moved on to a system of law and punishment intended to stop people doing "bad" things.

Prisons are overloaded, yes. There are plenty of people who are non-violent offenders, and in some cases not even repeat offenders. There are even circumstantial scapegoats in there. Most of these people who couldn't afford to defend themselves properly. (This is why you get rich kids who run down people let off).

However if you do remove the punishments, what you end up with is going to be more people like this guy. More people who look at this and think "Well I can't go to prison, and my choices are.." as in the article "make a lot of money, or be asked to give back money that i wont pay anyway".

You may have points about rehab centres and STD clinics, but your argument regarding this white-collar sort of crime is completely impotent. You said invest the money in teaching developers to patch holes.. okay where does the money come from? Because it certainly won't come from the criminals, they've probably spent it or washed it already, and then more taxpayer money is spent tracing it.

There are plenty of people who can point at the problems, but finding a solution which enables you to punish those that need it while let off those that don't is a very difficult task. There is no one size fits all rule, which is why we have judges and juries and an entire legal procedure. The only problem is that a legal system is based on trust, trust that the people in power are clean. Unfortunately that isn't always the case.

I'm left wondering what the moral of this entire article is. The only takeaway I have is, "If you're going to do civil criminal cybercrime activities, make sure you live large and blow all your money as you go." Is that about right?

Seems like about the only thing Sanford will end up with when it's all said and done is a slap on the wrist, a judgement for a large sum that will never be collected, and MAYBE a year or two of jail time in a fed lowsec pen. Plenty of time to hatch his next scam while getting three squares, more education and whatever he needs at the taxpayers' expense.

...Funny to think now that has become of a practice from Google and Facebook. He was just ahead of his time! Other than stealing people's login info.

Count me as another who doesn't have much sympathy for the social networks. Yes, they ostensibly sued on behalf of their customers due to the spam content being delivered to them and phished login credentials, but it's not as if any court winnings would be handed back to users.

I'm not a frequent FB user but it's weird how FB spams me by placing ads in my Timeline. The direct mixing of user "editorial" content and ads is unholy. And then when I click the drop down to select why I don't want it ... I always choose "spam" because that's precisely what it is, just like spam in an Inbox.

I'm amazed this guy is still alive, or at the very least hasn't been beaten to a bloody pulp.

Not by the US Government, mind you. Spam is a dirty business! Spammers have been murdered in Russia by rival spammers. In pushing the crap they push, they deal with illegal pharmacies, money laundering, all kinds of malware/spyware/scamware outfits... no doubt tied to organized crime at some level.

What the feds should have done once it reached criminal charges: Offered him a break on the fines/jail time in exchange for ratting out some of his customers. He's so motivated by money he would have fallen for it. Then just sit back and wait for him to turn up in a body bag.